typescript - Resource creation breaks stack deployment
Problem description
So, I'm trying to do a clean deployment of all the infrastructure needed to use AWS Config together with about 14 managed rules. The problem I'm running into appears when AWS Config is already enabled in a given account, because it doesn't like me trying to redeploy the necessary infra (the configuration recorder and the configuration delivery channel). I'm trying to set up my logic so that, as soon as the existing infrastructure errors out, it attempts to deploy the rules. Here is my code:
import cdk = require('@aws-cdk/core');
import s3 = require('@aws-cdk/aws-s3');
import iam = require('@aws-cdk/aws-iam');
import config = require('@aws-cdk/aws-config');
import { ManagedRule } from '@aws-cdk/aws-config';

export class fullConfigStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Service role that AWS Config assumes to read resource configurations.
    const globalConfigRole = new iam.Role(this, 'globalConfigRole', {
      assumedBy: new iam.ServicePrincipal('config.amazonaws.com'), // required
    });
    globalConfigRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSConfig'));
    globalConfigRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('ReadOnlyAccess'));

    // Configuration recorder; AWS Config requires it to exist before any rule can be created.
    const globalConfigRecorder = new config.CfnConfigurationRecorder(this, 'globalConfigRecorder', {
      roleArn: globalConfigRole.roleArn,
      name: 'globalConfigRecorder',
      recordingGroup: {
        allSupported: true,
        includeGlobalResourceTypes: true
      }
    });

    // Bucket that receives configuration snapshots and history.
    const globalConfigBucket = new s3.Bucket(this, 'globalConfigBucket', {
      accessControl: s3.BucketAccessControl.LOG_DELIVERY_WRITE
    });

    const cisConfigDeliveryChannel = new config.CfnDeliveryChannel(this, 'cisConfigDeliveryChannel', {
      s3BucketName: globalConfigBucket.bucketName,
      configSnapshotDeliveryProperties: {
        deliveryFrequency: 'TwentyFour_Hours'
      }
    });

    // Not referenced by any rule yet.
    const generalConfigRole = new iam.Role(this, 'generalConfigRole', {
      assumedBy: new iam.ServicePrincipal('config.amazonaws.com')
    });

    const cloudTrailEnabledRule = new ManagedRule(this, 'cloudTrailEnabledRule', {
      identifier: 'CLOUD_TRAIL_ENABLED'
    });

    const userGroupMembershipRule = new ManagedRule(this, 'userGroupMembershipRule', {
      identifier: 'IAM_USER_GROUP_MEMBERSHIP_CHECK'
    });

    const rootAccountMfaEnabledRule = new ManagedRule(this, 'rootAccountMfaEnabledRule', {
      identifier: 'ROOT_ACCOUNT_MFA_ENABLED'
    });

    const accessKeysRotatedRule = new ManagedRule(this, 'accessKeysRotatedRule', {
      identifier: 'ACCESS_KEYS_ROTATED',
      inputParameters: {
        maxAccessKeyAge: 90 // periodic rule: access keys older than 90 days are NON_COMPLIANT
      }
    });

    const iamPasswordPolicyRule = new ManagedRule(this, 'iamPasswordPolicyRule', {
      identifier: 'IAM_PASSWORD_POLICY',
      inputParameters: {
        RequireUppercaseCharacters: true,
        RequireLowercaseCharacters: true,
        RequireSymbols: true,
        RequireNumbers: true,
        MinimumPasswordLength: 14,
        PasswordReusePrevention: 24,
        MaxPasswordAge: 90
      }
    });

    const cloudTrailEncryptionRule = new ManagedRule(this, 'cloudTrailEncryptionRule', {
      identifier: 'CLOUD_TRAIL_ENCRYPTION_ENABLED',
    });

    const defaultSecurityGroupEniRule = new ManagedRule(this, 'defaultSecurityGroupEniRule', {
      identifier: 'EC2_SECURITY_GROUP_ATTACHED_TO_ENI'
    });

    const ebsVolumeEncryption = new ManagedRule(this, 'ebsVolumeEncryption', {
      identifier: 'EC2_EBS_ENCRYPTION_BY_DEFAULT'
    });

    const rdsStorageEncryptionRule = new ManagedRule(this, 'rdsStorageEncryptionRule', {
      identifier: 'RDS_STORAGE_ENCRYPTED'
      // Optionally takes a kmsKeyId input parameter (the KMS key used for encryption).
    });

    const s3ConfigLoggingEnabledBucket = new s3.Bucket(this, 's3ConfigLoggingEnabledBucket', {
      accessControl: s3.BucketAccessControl.LOG_DELIVERY_WRITE
    });

    const s3BucketLoggingEnabledRule = new ManagedRule(this, 's3BucketLoggingEnabledRule', {
      identifier: 'S3_BUCKET_LOGGING_ENABLED',
      // inputParameters: {
      //   targetBucket: s3ConfigLoggingEnabledBucket.bucketName
      // }
    });

    const s3BucketServerSideEncryptionRule = new ManagedRule(this, 's3BucketServerSideEncryptionRule', {
      identifier: 'S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED'
    });

    const vpcFlowLogsEnabledRule = new ManagedRule(this, 'vpcFlowLogsEnabledRule', {
      identifier: 'VPC_FLOW_LOGS_ENABLED',
      inputParameters: {
        trafficType: 'ALL' // VPCs must log all traffic (ACCEPT and REJECT) to pass this rule
      }
    });

    const vpcDefaultSecurityGroupRule = new ManagedRule(this, 'vpcDefaultSecurityGroupRule', {
      identifier: 'VPC_DEFAULT_SECURITY_GROUP_CLOSED'
    });

    const mfaEnabledForConsoleAccessRule = new ManagedRule(this, 'mfaEnabledForConsoleAccessRule', {
      identifier: 'MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS'
    });

    const rdsMultiAvailZoneRule = new ManagedRule(this, 'rdsMultiAvailZoneRule', {
      identifier: 'RDS_MULTI_AZ_SUPPORT'
    });

    const iamUserUnusedCredentialsRule = new ManagedRule(this, 'iamUserUnusedCredentialsRule', {
      identifier: 'IAM_USER_UNUSED_CREDENTIALS_CHECK',
      inputParameters: {
        maxCredentialUsageAge: 90
      }
    });
  }
}
As you can see in the code, I'm creating a role, a configuration recorder, a config bucket, a delivery channel and about 14 managed rules. Now, if I split this code into 2 different stacks, one with just the infrastructure and one with the rules, the rules deploy fine on their own regardless of whether the infrastructure has already been deployed. But if I try to deploy the whole thing, I get the following error:
You must create a configuration recorder before you can create or update a Config rule. (Service: AmazonConfig; Status Code: 400; Error Code: NoAvailableConfigurationRecorderException; Request ID: a2951019-1d7b-44a9-8df2-83e6a4a0e229; Proxy: null)
I think the reason I'm getting this is that the recorder takes longer to deploy, so the program tries to carry on with the rules and throws the error. My question is: is there a way to make the program wait until the recorder and the delivery channel are finished? Or could I do this in another stack and reference that stack with IF/ELSE logic or something similar? Thanks guys!
Solution
According to the documentation:
Sometimes AWS resources depend on other resources, and the creation of one resource must be completed before the next one can be started.
If you need to add an ordering dependency that is not automatically inferred, you can do so by adding a dependency relationship using constructA.node.addDependency(constructB).
You can add additional dependencies between resources like this:
cloudTrailEnabledRule.node.addDependency(globalConfigRecorder) // the rule waits for the recorder